Passkeys can’t be phished, or shoulder peeped, or entered on a malicious domain. And for the layman, it means they can’t forget their password.
Technically the place where you store your passkeys can be hacked into, but there is no technology that protects against that. You could give a tech layman 5FA and he’ll give all 5 factors to the nice man on the phone call.
It cuts out the necessity for a password manager browser extension to handle stuff like autofill, password generation, etc. Those extensions have had fairly significant vulnerabilities in the past. So you're reducing the attack surface, as well as getting a cryptographic guarantee against phishing (the signature the client returns include the domain that sent the challenge).
Edit: The other great part is that the server just stores your public key, so it's idiot proof on their end. It makes a breach effectively useless, since offline cracking is impossible.
Except now you have vendor, browser and device lock in. So password managers are required to solve those very real problems anyway.
The value of these seem very low. Passkeys are a solution looking for a problem.
Mayve 10 years ago before password managers became a thing they made more sense? Now they're just kind of annoying and hard to share (sharing passwords is a real need for many people /applications / services)
Except we're talking about protections against phishing, and as much as I love the clipboard it will paste anywhere you like, including definitely wrong and evil places.
You're wrong, with password managers you can definitely be phished. Unless it's literally impossible to extract the password to enter it manually, but I don't think password managers make that impossible (and if it's possible, users will do it).
Could you expand on how to trick a password manager to enter the password on a fake domain ?
I'd see having the user add the domain themselves, or get the user to copy/past the password themselves on some other form. But the phishing is not happening on the password manager side, and these use cases still exist even after you chose passkeys (i.e. I'd still need to somewhat log into Google's auth from my Nest hub for instance to have it show the calendar)
It happens to me very regularly that a password in my password manager is needed on a different domain. Maybe the logon process is at id.domain.com and password is pinned to domain.com, or maybe the password was created at signup.domain.com and so it doesn't pop up on domain.com, or you have to log in to a hotel's site with the password from their reward scheme (different domain), etc...
In any case users are trained by the internet to need to search for the right password outside the pinned domains. Most of the time I guarantee people don't add the extra domains to the password records. So when a phishing site pops up they'll do the same: search for the site name/domain that they think they're logging into and go from there.
Password managers solve password reuse, weak passwords, etc. but IMO do not solve phishing, especially not for the kind of user who's most susceptible t it (little technical understand, hates this stuff, just wants to follow instructions and not deal with it), but passkeys might.
At least on Bitwarden you can just edit the domain if that comes up a lot for you (or even add multiple domains to a password). I'd rather do that than copy/paste on a regular basis. Honestly I can't say I ever copy/paste.
Yeah, I do this too, but many people I know wouldn't even think about the fact that they could do that, or why they would. They just know that whatever password manager they use doesn't find the password but if they search for it, it's there. So they do that and get on with their lives, inadvertently opening up an avenue for phishing.
These issues won't be solved unless passkeys work absolutely everywhere the user has to authenticate. Logon required or weird and funky domains is currently due to service providers being a mess themselves (I'm looking at you, Microsoft). So should we expect them to miraculously get their act together and have each of these system flawlessly work with their passkey auth. from now on ?
That's where I think we're stuck with that class of issue for as long as there are multiple auth systems, passkeys or not.
There can be vulnerabilities, this is clearly the hottest attack surface of password managers. I remember a few years ago Tavis Ormandy from Google Project Zero found such vulnerabilities in a bunch of the most popular password managers which allowed to steal credentials from a rogue website.
I'd still recommend using a password manager, as overall and in practice the risk of phishing and (re)using (weak) passwords is far greater than this kind of rare vulnerabilities (and also I work for a company that makes a password manager ^^)
The metaphor might be a bit esoteric, but that's similar to wishing that Hardware Security Modules (HSMs) allowed you "get your <private keys>" out of the HSM. As sibling comment says, that's how you get phished. The whole point of an HSM (and a passkey) is that the super-secret private part never leaves the HSM no matter how nicely you ask and no matter how compromised the machine is.
A password manager, OTOH, is happy to hand out your private key ("password" in this case) to anyone that has access to it.
It's a middle ground. You should be able to move passkeys from one vendor to another with some export process but the secret key is not exposed when you use it which reduces the risk of having it stolen
It's not that kind of impossible. It means that even if you are tricked into giving your passkey to the attacker, it's cryptographically useless to the attacker because a passkey is bound to a specific origin.
True, but it also opens me up to using the same password on all machines I use. You can argue that’s a negative, but personally I like being able to add a new machine to my collection without worrying about who the vendor is.
>> Passkeys can’t be phished, ..., or entered on a malicious domain.
> Neither can passwords if you're using a password manager to handle them.
This is absolutely not true, it depends heavily on usage patterns of the password manager and its features. Not all are browser extensions that autofill, and even if they did, sites change their domains for auth occasionally that break this functionality (or more often, signup is on a different domain from auth) meaning you must manually copy-paste your password somewhat often if you don't meticulously, and manually, maintain your domain list for a credential. The average person is *not* going to do that, they're going to go "huh, it broke again" and copy paste their randomly generated password.
Please, do not give security advice you are not equipped to handle.
> Passkeys have no easy way to extract the private key and do not request to enter the private key to authenticate.
Sure the do. All somebody needs is the password to your password manager. It's a single point of failure and by putting your passkeys in there to you've made it even more vulnerable.
Do you put a passkey on your password manager that exists outside of that ecosystem? Once you have that why not just use it for everything?
The parent wasn't giving security advice. They were asking a valid question.
> Sure the do. All somebody needs is the password to your password manager. It's a single point of failure and by putting your passkeys in there to you've made it even more vulnerable.
Not more vulnerable than if they were just using password. You're still missing my point, password managers do not give you the ability to just copy-paste the private key of a passkey into a form field, unlike passwords. Some don't give you access to it at all (*cough* Apple *cough*). Sure you can get the private key if you have access to the password managers vault, but that's not what's being talked about. Common usage patterns matter immensely in security. At the end of the day, the attack surface for passkey-based authentication is smaller than password-based authentication, which is a step in the right direction.
> The parent wasn't giving security advice. They were asking a valid question.
The parent made a blatantly false and dangerous statement and then followed it up with a question. Did we read the same comment?
I agree that it's not more vulnerable than just using a password, I'm only saying that it's only slightly less vulnerable under the best circumstances and incredibly more vulnerable under the worst circumstances (ie. if somebody got ahold of your password manager).
I also agree that passkey-based authentication provides a smaller attack surface than purely password-based authentication.
But putting the passkey on a second device provides an even smaller attack surface since now a bad actor needs both your device (or a MITM attack) and your password.
This is an HN forum. Nobody's giving "security advice," but I do feel like the parent comment's question hasn't been answered. Why would one store passkeys in their password manager instead of on a separate device?
> I agree that it's not more vulnerable than just using a password, I'm only saying that it's only slightly less vulnerable under the best circumstances and incredibly more vulnerable under the worst circumstances (ie. if somebody got ahold of your password manager).
I feel like we might have a mismatch in understanding what a passkey is. You make a new keypair for each account to authenticate to. A leaked passkey is generally no more vulnerable than a password when leaked.
> But putting the passkey on a second device provides an even smaller attack surface since now a bad actor needs both your device (or a MITM attack) and your password.
Correct. The gold standard is a hardware secured, non-cloud synced private key.
> This is an HN forum. Nobody's giving "security advice,"
It's a technical forum with statements on a technical topic. Making statements like that can always be misinterpreted as technical advice by default.
> but I do feel like the parent comment's question hasn't been answered. Why would one store passkeys in their password manager instead of on a separate device?
This is fair. The answer is: convenience. It is most definitely worse security posture to sync passkeys than to store them on a separate, physical device that can answer challenges without leaking the private key.
The reason to use them over passwords is they are more secure, even when synced to a cloud vault.
Thanks for helping to clarify what we're talking about. I disagree with some of what you're saying, but I also see where you're coming from re: the convenience of passkeys in your pw manager.
Technically the place where you store your passkeys can be hacked into, but there is no technology that protects against that. You could give a tech layman 5FA and he’ll give all 5 factors to the nice man on the phone call.